TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster

September 17, 2008

Reference Number: 2008-20-178

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 17, 2008

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

FROM: Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster (Audit # 200820013)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) business resumption plans are adequate to restore critical business processes after a disaster or an emergency event. We reviewed the plans prepared by business functions that perform the IRS’ critical processes at sites where the largest number of employees work.
This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit’s statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

Business resumption plans are designed to help the IRS recover, restore, and resume normal business operations after a disaster or an emergency. However, the IRS business resumption plans we reviewed were not adequately completed and would not facilitate the efficient recovery of critical business processes. An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries. Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.

Synopsis

The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations and its experience in recovering from previous disasters and emergency incidents. However, most of the sample of 65 business resumption plans prepared by IRS business functions that we reviewed lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes.
For example, several plans did not 1) identify an alternate facility and the amount of space, furniture, and equipment needed at the alternate facility, 2) identify information technology systems and applications that are required to recover critical business processes, and 3) document employees’ emergency contact information and the vital records needed by employees to perform their duties.

Some business resumption team leaders were cognizant of the details and strategies they would follow after a disaster, but they did not document this information in their business resumption plans. Documentation of the recovery procedures and strategies in the business resumption plans would facilitate recovery and could be crucial if key employees are unavailable after a disaster.

The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight. Some business functions did not establish a review process or a central repository to ensure the quality and control of the plans. The Physical Security and Emergency Preparedness office created two templates to guide business functions on how to prepare the plans. However, the business functions often used different templates because use of the templates was not mandatory. In addition, the Emergency Management and Preparedness Executive Steering Committee, which is responsible for overseeing the business resumption plans, has met only once since being established in July 2004.

Comprehensive testing is also crucial to the viability of business resumption plans. The plans are required to be tested and updated each year. However, the business units had not tested 35 (54 percent) of the 65 plans in Calendar Year 2007. When plans were tested, the scopes were insufficient to identify gaps, omissions, and weaknesses in the plans. In addition, 25 (38 percent) of the 65 plans we evaluated had not been updated in Calendar Year 2007.
We attributed these conditions to a lack of emphasis by management.

Recommendations

To ensure the viability of business resumption plans, the Chief, Agency-Wide Shared Services, should 1) instruct business units with a significant number of sites to establish a business resumption coordinator position to a) perform a quality review of each business resumption plan within the function and b) create and maintain a central repository to control the plans, 2) mandate use of the Physical Security and Emergency Preparedness office templates and require all business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans, 3) develop specific testing requirements and procedures for business resumption plans based on risk, and 4) instruct the Emergency Management and Preparedness Executive Steering Committee to require business units to plan and conduct testing, document test results, and update business resumption plans annually, as well as monitor testing activities conducted by the business units.

Response

The IRS agreed with our recommendations. The Chief, Agency-Wide Shared Services will 1) coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program, and 2) direct the use of standardized continuity templates that will be developed by the Physical Security and Emergency Preparedness office. The Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators.
Lastly, the IRS will develop criteria for a multi-year testing, training, and exercise strategy. This strategy will be consistent with Federal Government continuity directives. Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Results of Review
    The Ability to Recover Critical Processes Is Strengthened by Redundant Operations and Experience With Major Disasters
    Resumption of Processes Could Be Delayed Due to Inadequate Planning
        Recommendations 1 and 2
    Business Resumption Plans Need Comprehensive Testing
        Recommendations 3 and 4
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Business Resumption Plans Evaluated
    Appendix V – Management’s Response to the Draft Report

Abbreviations

IRS     Internal Revenue Service
PSEP    Physical Security and Emergency Preparedness

Background

Homeland Security Presidential Directive-20 [1] requires that Federal Government agencies develop business continuity plans to enable the recovery of critical functions after a disaster or emergency. To comply with the Directive, the Internal Revenue Service (IRS) must develop and continually update its business continuity plans to enable the efficient recovery of its critical processes. This goal is difficult due to the wide range of incidents that could disrupt IRS operations such as natural disasters, accidents, power outages, and terrorist attacks.

An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries. In Fiscal Year 2007, the IRS processed more than 235 million tax returns and collected almost $2.7 trillion. The IRS also issued about 117 million refunds totaling $295 billion.
Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.

To recover critical processes after an incident, the IRS uses one or more of the following integrated Plans:

    • Incident Management Plan – The overall coordinated actions management must take to ensure recovery and restoration of critical business processes.
    • Occupant Emergency Plan – A set of response procedures and actions taken during the onset of an emergency to minimize the effect of the incident. It includes building evacuation, shelter-in-place, and employee safety procedures.
    • Business Resumption Plan – A guide to prioritized reestablishment of business processes after an incident. It includes the advance planning and preparations necessary to minimize loss and ensure continuity of the critical business processes.
    • Disaster Recovery Plan – A guide to recovery of the information technology infrastructure, network, hardware, systems, applications, and operating systems.

The relationship among the four Plans is represented in Figure 1.

[1] National Continuity Policy, dated May 4, 2007 (also known as National Security Presidential Directive–51).
This Directive establishes a comprehensive national policy on the continuity of Federal Government structures and operations and a single National Continuity Coordinator responsible for coordinating the development and implementation of Federal Government continuity policies.

Figure 1: Relationship of IRS Business Continuity Plans

Source: Agency-Wide Shared Services. IT = Information Technology. BCP = Business Continuity Program. OEP = Occupant Emergency Plan. IMP = Incident Management Plan. BRP = Business Resumption Plan. DRP = Disaster Recovery Plan.

We previously reported the results of our review of IRS disaster recovery plans [2] and are currently performing a separate review of IRS incident management plans and occupant emergency plans. We plan to consolidate results of those reviews with our results in this report that focus on business resumption plans and present them in a subsequent report on the overall IRS business continuity program.

This review was performed in the Office of Agency-Wide Shared Services at the IRS Headquarters in Washington, D.C., and New Carrollton, Maryland; the IRS campuses [3] in Atlanta, Georgia; Austin, Texas; Fresno, California; and Memphis, Tennessee; and the IRS field office in Dallas, Texas, during the period November 2007 through April 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[2] Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made (Reference Number 2008-20-061, dated February 29, 2008).
[3] Campuses are the data processing arm of the IRS. They process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Results of Review

The Ability to Recover Critical Processes Is Strengthened by Redundant Operations and Experience With Major Disasters

The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations located throughout the nation. Each critical process is carried out at multiple locations, allowing the IRS to take advantage of its experienced workforce and similarly situated facilities to recover from an emergency. Even without adequate business resumption plans, we believe that the IRS could redirect work to other locations by making ad hoc decisions. However, this ability does not diminish the need for business resumption plans. Upfront planning is necessary to expedite recovery, particularly considering the criticality of some IRS processes.

The IRS can also benefit from its experience in recovering from previous disasters and emergency incidents.
For example:

    • On June 25, 2006, the IRS National Headquarters building flooded during record rainfall and sustained extensive damage to its infrastructure. IRS officials reported activating several of the agency’s emergency operations plans. A review by the Government Accountability Office showed that while the IRS plans helped guide its response to the flood, in more severe emergency events, conditions could be less favorable to recovery. [4]
    • Hurricane Katrina made landfall on August 29, 2005. It caused unprecedented damage to New Orleans, Louisiana, as well as the coastal areas of Mississippi and Alabama. Hurricane Rita followed less than 1 month later and further damaged New Orleans and the Gulf Coast area of Texas. The IRS had 25 offices affected by the Hurricanes, many of which were closed for short durations due to sustained power outages. Five offices received significant damage, which forced closure for longer periods of time. By taking aggressive actions after the storms, the IRS was able to relocate its employees and restore operations.
    • In 2001 and 2002, a number of government offices received mail or packages that contained or seemed to contain the anthrax virus. While no IRS facility received any mail that actually contained anthrax, mail-handling procedures were upgraded to address the possibility.
      For example, mailrooms in all facilities were isolated, self-contained ventilation systems were installed at all campus mailrooms so that the rooms could be shut off from the remainder of the facilities, and hazardous material training and protective equipment were provided to pertinent employees.

[4] IRS EMERGENCY PLANNING: Headquarters Plans Supported Response to 2006 Flooding, but Additional Guidance Could Improve All Hazard Preparedness (GAO-07-579, dated April 2007).

Resumption of Processes Could Be Delayed Due to Inadequate Planning

The IRS Physical Security and Emergency Preparedness (PSEP) office provides detailed guidance to business functions on how to prepare a business resumption plan. The guidance includes templates for preparing a comprehensive or a simplified plan.
Large sites with a significant number of employees should use the comprehensive template, and smaller sites with few employees should use the simplified template to prepare their business resumption plans. The PSEP office also provides a Quick Review Checklist with detailed guidance that is commensurate with the requirements in Homeland Security Presidential Directive-20 and the IRS’ internal procedures.

A complete business resumption plan should include details such as:

    • A list and description of critical business processes that are conducted by the business function at the site.
    • Procedures for recovering each of the critical processes and sub-processes described in the business resumption plan.
    • Other locations that perform the same business processes as those performed at the site covered by the plan.
    • The vital records needed by the employees to perform their duties.
    • The amount of space, furniture, and equipment (e.g., copiers, printers, fax machines) that will be required.

Each IRS business function at each site is responsible for developing its own business resumption plan. Each plan has a point of contact or business resumption team leader responsible for developing and maintaining the plan. The business resumption team leader or point of contact for each function at each site should ensure that the key details emphasized by the PSEP office are developed and maintained in the function’s business resumption plan.

However, most of the plans we evaluated lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes.
Our review of a sample of 65 business resumption plans determined that they did not:

    • Include procedures for recovering each of the critical processes and sub-processes described in the business resumption plans – 16 plans (25 percent).
    • Identify an alternate facility that could be used for recovering critical processes – 40 plans (62 percent). In some instances, an alternate site was not feasible or was deemed cost-prohibitive. In these instances, the critical processes would be rerouted to another IRS work site. However, the plans did not document this recovery strategy.
    • Document the amount of space, furniture, and equipment (e.g., copiers, printers, and fax machines) that would be required at the alternate facility – 25 plans (38 percent).
    • Document other locations that perform the same critical business processes and sub-processes as those performed at the site covered by the plan – 43 plans (66 percent).
    • Identify information technology systems and applications that are required to recover critical business processes – 10 plans (15 percent).
    • Identify the vital records needed by the employees to perform their duties – 13 plans (20 percent). Some business resumption team leaders informed us that they had no vital records. Others stated that their vital records were electronic and accessible through the IRS network.
      However, the business resumption plans did not document these key details and recovery strategies.
    • Include basic contact information such as a list of internal business contacts and emergency contact information – 20 plans (31 percent).
    • Include a list of the employees and their emergency contact information – 21 plans (32 percent). IRS officials informed us that they have previously used an automated system available to all IRS managers to contact employees because this system is more current and easier to maintain than a contact list in a business resumption plan. However, this recovery strategy is not documented in the business resumption plans.

To determine whether planning information was documented elsewhere, we followed up on 15 of the 65 business resumption plans in 6 locations by interviewing the business resumption team leaders and reviewing other available documentation. The in-depth reviews confirmed the results of our initial evaluation because we were able to locate sufficient business resumption information in other documentation for only 2 of the 15 plans.

Based on our interviews, we are confident that some business resumption team leaders knew the necessary details and recovery strategies. However, when details and strategies are not documented, resumption of critical processes could be delayed, particularly if the team leaders are unavailable after an emergency.

The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight.
The business resumption plans lack details for several specific reasons.

    • The Wage and Investment Division, Large and Mid-Size Business Division, Small Business/Self-Employed Division, Tax Exempt and Government Entities Division, and Taxpayer Advocate Service [5] did not establish controls adequate to ensure the completeness of each business resumption plan. The Wage and Investment Division implemented a certification process for business resumption plans at the IRS campuses. However, the certification process is not a thorough quality review of the contents and viability of the plans. It does not provide adequate assurance that the plans would enable the business function to efficiently recover the critical processes.

      The Criminal Investigation Division, Chief Financial Officer organization, and Office of Chief Counsel have implemented adequate controls. These organizations established an independent quality review process for their business resumption plans. The plans were more complete and included more of the key details and required information. These functions are also smaller and have fewer employees, sites, and business resumption plans.
    • Inconsistent use of business resumption templates by business functions contributed to preparation of incomplete and inadequate plans. The PSEP office does not mandate use of its two business resumption plan templates. Twelve different templates were used by the 8 IRS business functions that prepared the 65 business resumption plans we evaluated.
      Some functions used different templates within their own organizations. Inconsistent use of developed templates increases the risk that plans will be incomplete.
    • In July 2004, the IRS established the Emergency Management and Preparedness Executive Steering Committee to help develop agency-wide policies, standards, and guidelines for continuity planning. However, this Committee has met only once since December 2007 and has not taken actions sufficient to ensure that business functions adhere to business resumption guidelines.
    • Four of the eight business functions have not established a central repository to control their business resumption plans. A central repository is necessary to account for all of the plans that should be completed at sites where the business function has operations and to monitor the business resumption program. A central repository would facilitate the review of the plans, help manage updates to the plans, and ensure ready access to the most current plan in the event of a disaster or an emergency event.

[5] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1: Instruct business units with a significant number of sites to establish a business resumption coordinator position to 1) perform a quality review of each business resumption plan prepared by the business resumption team leader at a site within the function, and 2)
create and maintain a central repository in each business unit to account for and control the business resumption plans.

    Management’s Response: The IRS agreed with this recommendation. The Chief, Agency-Wide Shared Services, will coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program.

Recommendation 2: Require all business functions to use the PSEP office business resumption plan templates and require all functions’ business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans.

    Management’s Response: The IRS agreed with this recommendation. The Chief, Agency-Wide Shared Services, will direct the use of standardized continuity templates developed by the Physical Security and Emergency Preparedness office. In addition, the Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators.

Business Resumption Plans Need Comprehensive Testing

Testing business resumption plans is critical to ensuring the viability of the plans. Testing validates the recovery strategies, assumptions, and procedures against likely disasters or emergency events. The gaps and weaknesses in the plans should be identified and documented during comprehensive testing, which allows management to update and strengthen the plans.

Homeland Security Presidential Directive-20 requires Federal Government agencies to conduct annual tests of business resumption plans. To comply with this Directive and other Directives from the Department of Homeland Security, [6] the PSEP office provided testing guidance to the IRS business functions.
It advised IRS business functions that the best way to determine whether business resumption plans are viable is to train those who have roles and responsibilities identified in the plan and then conduct tests to determine whether the plans work. This guidance is designed to determine whether team members know and understand their roles and responsibilities and how they relate to those of others.

[6] Homeland Security Presidential Directive-5, Management of Domestic Incidents; Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection; and Homeland Security Presidential Directive-8, National Preparedness.

Generally, five types of tests can be conducted to assess business resumption plans: [7]

    • Checklist test – This test involves reviewing the plan for content, completeness, and adherence to criteria.
    • Tabletop test – The business resumption team meets and verbally describes what activities, procedures, and tasks it will follow.
    • Parallel test – This test evaluates the recovery of processes at alternate sites without disrupting operations at the normal work site.
    • Simulation test – This test is a combination of simulations and actual operations transfers and might require some units to cease operations for the test period.
    • Full-interruption test – The organization activates all components of the business resumption plan.

The IRS does not conduct complete tests in a timely manner to ensure the viability of its business resumption plans.
The business units had not tested 35 (54 percent) of the 65 business resumption plans during Calendar Year 2007. For the 30 plans that were tested, the scopes consisted of tabletop exercises. Participants, such as a Senior Commissioner’s Representative, [8] a site coordinator, and a business resumption team leader, met and discussed how they would handle various emergencies or disasters. This type of testing is insufficient to identify gaps, omissions, and weaknesses in the plans. In addition, the results and weaknesses identified during the tests were not documented. As discussed previously, the results of testing should be documented and the business resumption plans should be updated. In our sample of 65 business resumption plans, 25 (38 percent) had not been updated during Calendar Year 2007.

We attribute the insufficient testing to a lack of emphasis by IRS management. The IRS procedures for business resumption do not address testing. The PSEP office web site does not provide specific testing requirements. The PSEP office acknowledges that tabletop exercises are the most common type of testing at the IRS, but it does not require or encourage more comprehensive testing of the business resumption plans.

Lack of comprehensive testing results in weak plans that will not facilitate the efficient recovery of the IRS’ critical business processes.
The weaknesses in the plans will become evident after a\ndisaster or an emergency occurs.\n\n\n7\n  Akhtar Syed and Afsar Syed, Business Continuity Planning Methodology (Mississauga, Ontario, Canada: Sentryx,\n2004), 203-213.\n8\n  The individual designated by the IRS Commissioner to serve as the point of contact on matters affecting more than\none IRS Division in a specified geographical area.\n                                                                                                           Page 8\n\x0c               Weaknesses in Business Resumption Plans Could Delay Recovery\n                                      From a Disaster\n\n\n\nRecommendations\nThe Chief, Agency-Wide Shared Services, should:\nRecommendation 3: Develop specific testing requirements and procedures for business\nresumption plans based on risk. Critical processes such as those we reviewed should be tested\nusing comprehensive testing techniques such as parallel, simulation, or full-interruption tests.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The Chief,\n       Agency-Wide Shared Services, will develop criteria for a multi-year testing, training, and\n       exercise strategy. This strategy will be consistent with Federal Government continuity\n       directives.\nRecommendation 4: Instruct the Emergency Management and Preparedness Executive\nSteering Committee to 1) require business units to plan and conduct testing, document test\nresults, and update business resumption plans annually, and 2) monitor testing activities\nconducted by the business units to ensure that the scopes of tests are sufficient to identify gaps\nand weaknesses in the plans.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
       The Chief, Agency-Wide Shared Services, will develop a multi-year testing, training, and
       exercise strategy that is consistent with Federal Government continuity directives.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS business resumption plans
are adequate to restore critical business processes after a disaster or an emergency event. To
accomplish this objective, we:

I.     Determined whether the IRS had prepared business resumption plans that addressed all
       critical processes.
       A. For the 2,643 business resumption plans required by the IRS, determined the number
          of plans that had not been completed.
       B. For those plans that had not been completed, determined the cause and whether the
          plans should have addressed any of the critical processes.
II.    Determined whether business resumption plans were prepared in accordance with Federal
       Emergency Management Agency, Department of the Treasury, and IRS guidelines.
       A. Identified prior (IRS, Treasury Inspector General for Tax Administration, and
          Government Accountability Office) business resumption plan recommendations and
          determined the status of their implementation.
       B. Reviewed the templates developed by the IRS for preparation of a business
          resumption plan to determine whether they were complete, adhered to guidance and
          criteria, and addressed each of the IRS’ 18 critical business processes.
       C. Selected a sample of locations carrying out critical business processes and reviewed
          their business resumption plans to determine whether a plan existed, was current, and
          was complete. To select the plans, we identified the IRS’ critical processes, the
          business units that perform these processes, and the buildings in which the highest
          number of employees who perform these critical processes are located. We selected
          70 business resumption plans (from a population of 2,643 plans) for locations where
          critical processes are performed by the largest number of employees. We used
          judgmental sampling because a random sample would have yielded some sites where
          few employees work. We selected only sites where a disaster would affect the greatest
          number of employees and cause the biggest disruption. Because some plans covered
          more than 1 location, we received and reviewed 65 plans (see Appendix IV for details
          about the plans selected).
          1. Determined whether a committee or working group was established to prepare the
             plan and, if so, determined the members of the committee.
          2. Determined whether the plans contained the following elements:
             • List of critical personnel.
             • Identification of vital records and backup location.
             • Critical equipment needs.
             • Names and telephone numbers for purposes of recovery/replacement/repair of
               equipment, records, etc.
             • Emergency telephone numbers.
             • Security requirements.
             • Communication needs.
III.   Determined whether the IRS conducted timely and complete tests to ensure the viability
       of business resumption plans in the event of an incident.
       A. Determined whether the IRS had implemented adequate policies and procedures to
          ensure that plans are tested and maintained.
          1. Identified the methodology used by IRS management to monitor the status of
             business resumption plan training and testing nationwide.
          2. For the 65 sampled business resumption plans, determined whether they had been
             properly tested. For any plan that had not been tested, we determined the cause.
          3. Evaluated the methods used to assess the test results to ensure timely
             implementation of plan modifications as necessary.
       B. Reviewed the results of tests on sampled business resumption plans to determine
          whether weaknesses identified during testing were corrected in a timely manner.
          1. Identified who was responsible for taking corrective actions on weaknesses
             identified during testing of the business resumption plans.
          2. Reviewed the results of documented training, testing, and exercises and
             determined whether the actions to correct the weaknesses were completed in a
             timely manner.
IV.    Evaluated the National Headquarters office methodology for monitoring the business
       resumption plan program.
       A. Determined where and how business resumption plans were maintained.
       B. Determined whether business resumption plans were reviewed for quality
          independently of the preparer.
       C. Determined whether a “change control process” was used to update and revise plans.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Preston Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
William Allen Gray, Audit Manager
David Brown, Senior Auditor
George Franklin, Senior Auditor
Michelle Griffin, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Counsel CC
National Taxpayer Advocate TA
Commissioner, Large and Mid-Size Business Division SE:LM
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Tax Exempt and Government Entities Division SE:T
Commissioner, Wage and Investment Division SE:W
Chief, Criminal Investigation SE:CI
Chief Financial Officer OS:CFO
Chief Information Officer OS:CIO
Director, Agency-Wide Shared Services, Employee Support Services OS:A:ESS
Director, Agency-Wide Shared Services, Physical Security and Emergency Preparedness OS:A:PSEP
Director, Program Oversight OS:CIO:SM:PO
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief, Agency-Wide Shared Services OS:A
       Chief Information Officer OS:CIO

Appendix IV

Business Resumption Plans Evaluated

We reviewed 65 business resumption plans from 8 IRS business operating divisions that perform
the highest number of critical processes. We also selected plans at sites where the highest
number of employees would be affected by a disaster or an emergency event. Figure 1 identifies
the number of plans we evaluated from each of the eight business operating divisions.
Figure 2 identifies the specific office locations for the plans reviewed.

Figure 1: Business Resumption Plans Reviewed (by Business Operating Division)

Chief Financial Officer                           2
Criminal Investigation Division                   5
Large and Mid-Size Business Division             11
Office of Chief Counsel                           4
Small Business/Self-Employed Division            13
Tax Exempt and Government Entities Division       5
Taxpayer Advocate Service [1]                    12
Wage and Investment Division                     13
Total                                            65

Source: Our review of a sample of business resumption plans.

[1] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.

Figure 2: Business Resumption Plans Reviewed (by Location)

Business Operating Division                  Bldg. No.  City            State
Chief Financial Officer                      WV0171     Beckley         West Virginia
                                             DC0022     Washington      District of Columbia
Criminal Investigation Division              DC0022     Washington      District of Columbia
                                             KY2020     Florence        Kentucky
                                             CA7347     Fresno          California
                                             IL0236     Chicago         Illinois
                                             PA0277     Philadelphia    Pennsylvania
Large and Mid-Size Business Division         NY7013     New York        New York
                                             TX0298     Houston         Texas
                                             TX0302     Farmers Branch  Texas
                                             IL0236     Chicago         Illinois
                                             CA6218     Glendale        California
                                             CA0154     San Francisco   California
                                             GA2004     Atlanta         Georgia
                                             DC9914     Washington      District of Columbia
                                             CA6116     San Jose        California
                                             IL2337     Downers Grove   Illinois
                                             CA0521     Laguna Niguel   California
Office of Chief Counsel                      DC0022     Washington      District of Columbia
                                             NY7282     New York        New York
                                             TX0302     Farmers Branch  Texas
                                             IL2177     Chicago         Illinois
Small Business/Self-Employed Division        NY0376     Holtsville      New York
                                             PA0462     Philadelphia    Pennsylvania
                                             TN0005     Memphis         Tennessee
                                             KY3005     Covington       Kentucky
                                             UT1434     Ogden           Utah
                                             MD0278     New Carrollton  Maryland
                                             MI1951     Detroit         Michigan
                                             CA0281     Oakland         California
                                             NY7013     New York        New York
                                             CA0150     Los Angeles     California
                                             IL0236     Chicago         Illinois
                                             CO1656     Denver          Colorado
                                             PA6520     Philadelphia    Pennsylvania
Taxpayer Advocate Service                    GA2014     Atlanta         Georgia
                                             DC0022     Washington      District of Columbia
                                             PA0727     Philadelphia    Pennsylvania
                                             TX0058     Dallas          Texas
                                             TX2038     Austin          Texas
                                             WA0101     Seattle         Washington
                                             NY7243     Holtsville      New York
                                             TN0005     Memphis         Tennessee
                                             KY3005     Covington       Kentucky
                                             FL0067     Jacksonville    Florida
                                             GA0087     Atlanta         Georgia
                                             MO1937     Kansas City     Missouri
Tax Exempt and Government Entities Division  OH0189     Cincinnati      Ohio
                                             DC0560     Washington      District of Columbia
                                             NY6470     Brooklyn        New York
                                             MD0055     Baltimore       Maryland
                                             TX0284     Dallas          Texas
Wage and Investment Division                 MO1937     Kansas City     Missouri
                                             CA4664     Fresno          California
                                             TX2038     Austin          Texas
                                             GA1016     Atlanta         Georgia
                                             KY0085     Covington       Kentucky
                                             UT0036     Ogden           Utah
                                             MA0137     Andover         Massachusetts
                                             GA0010     Atlanta         Georgia
                                             CA7456     Fresno          California
                                             TX1962     Austin          Texas
                                             KY2032     Covington       Kentucky
                                             UT1428     Ogden           Utah
                                             NY0376     Holtsville      New York

Source: Our review of a sample of business resumption plans.

To determine whether required planning details were documented in peripheral business
resumption plan documents, we visited the locations identified in Figure 3 and interviewed the
point of contact or business resumption team leader. We requested the key business resumption
information we had found lacking in the business resumption plans and conducted an in-depth
review for the 15 business resumption plans, which we selected from the above list of 65 plans.

Figure 3: Offices Visited to Review Business Resumption Plans

Business Operating Division                  Bldg. No.  City            State
Large and Mid-Size Business Division         GA2004     Atlanta         Georgia
Taxpayer Advocate Service                    GA2014     Atlanta         Georgia
Taxpayer Advocate Service                    GA0087     Atlanta         Georgia
Wage and Investment Division                 GA1016     Atlanta         Georgia
Wage and Investment Division                 GA0010     Atlanta         Georgia
Taxpayer Advocate Service                    TX2038     Austin          Texas
Wage and Investment Division                 TX2038     Austin          Texas
Wage and Investment Division                 TX1962     Austin          Texas
Large and Mid-Size Business Division         TX0302     Dallas          Texas
Taxpayer Advocate Service                    TX0058     Dallas          Texas
Wage and Investment Division                 CA4664     Fresno          California
Wage and Investment Division                 CA7456     Fresno          California
Small Business/Self-Employed Division        TN0005     Memphis         Tennessee
Taxpayer Advocate Service                    TN0005     Memphis         Tennessee
Small Business/Self-Employed Division        MD0278     New Carrollton  Maryland

Source: Our review of a sample of business resumption plans.

Appendix V

Management’s Response to the Draft Report